The Federal Trade Commission (FTC or Commission) has released a Notice of Proposed Rulemaking (NPRM) proposing important amendments to the Children's Online Privacy Protection Rule (Rule). Online businesses should note these proposed requirements, which, if adopted, soon could spread beyond collecting information from children. Comments on the NPRM are due on November 28.
The Rule, 16 C.F.R. 312, was issued pursuant to the Children's Online Privacy Protection Act (COPPA) and became effective on April 21, 2000. The Rule currently imposes data-collection restrictions on operators of websites or online services directed to children under 13 years of age and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age. Most importantly, the Rule requires that operators provide notice to parents and obtain verifiable parental consent prior to collecting, using or disclosing personal information from children under 13 years of age. It also requires operators to keep any information that they collect from children secure and prohibits them from conditioning children's participation in online activities on the collection of additional personal data.
The FTC's proposed modifications to the Rule fall into four distinct categories: (1) definitions; (2) parental notice and consent mechanisms; (3) confidentiality and security of children's personal information; and (4) the role of self-regulatory "safe harbor" programs. Some of the most significant changes are highlighted below.
The FTC proposes a few key modifications to the definitions pertaining to the COPPA Rule. Notably, the Commission proposes to modify the term "collection" to clarify that it covers collection of online information both when an operator requires it and when an operator merely prompts or encourages a child to provide such information. The Commission also has proposed to update the definition of "personal information" to include both geolocation information and persistent identifiers used for functions other than the website's internal operations (e.g., tracking cookies used for behavioral advertising).
Parental Notice and Consent
The FTC proposes amendments to clarify the notice that operators must give parents prior to collecting children's personal information. It also proposes several new methods for operators to use in obtaining parental consent. These new methods include videoconferencing, use of government-issued identification checked against a database, and scans of completed parental consent forms. The Commission also proposes eliminating a less-reliable method of parental consent, known as "e-mail plus." These proposed methods would supplement the nonexclusive list of methods currently included in the COPPA Rule.
In addition, the FTC proposes establishing a voluntary 180-day notice and comment process whereby parties may seek approval of a new consent mechanism.
Confidentiality and Security Requirements
The FTC proposes making the Rule's existing confidentiality and security requirements significantly more stringent. First, it proposes adding a requirement that operators ensure that any service providers or third parties to whom they disclose a child's personal information have acceptable procedures in place to protect the confidentiality, security and integrity of that information. Second, the FTC proposes that operators retain information collected from children for only as long as is reasonably necessary to fulfill the purpose for which it was collected and properly delete that information afterward.
The FTC also proposes to strengthen its oversight of industry safe harbor programs. Its proposal includes a requirement that such programs audit their members at least once a year and report the results of those audits to the Commission.
Implications for Online Businesses
Businesses that operate online should monitor the COPPA rulemaking and consider participating—even if they do not collect personal information from children. The FTC's actions with respect to children's privacy do not occur in a vacuum. Indeed, many elements of the COPPA rulemaking echo recommendations made by FTC staff in a December 2010 Preliminary Report concerning online consumer privacy.
Should the proposed rules be adopted, components of the new COPPA framework that are not specific to children could be well on the way to becoming benchmarks for fair information practices generally. For example, if IP addresses and cookie identifiers—presently considered anonymous data—become "individually identifying" with respect to children, why would they not also personally identify adults? These identifiers are fundamental to online advertising, which underwrites many free and affordable online services. The Commission is targeting these identifiers even through it admits it is "not aware of any operator directing online advertising to children." Similarly, if industry can manage to function within built-in limits on data collection and retention with respect to children's data, would a general "privacy by design" requirement follow? If operators can curtail their use of tracking data and location data for children, why can't they for adults? Thus, the COPPA rulemaking could help lay a foundation for expanding requirements generally.
In the event the FTC were to use COPPA as a springboard to general privacy reform, the agency's enforcement power and substantial informal influence could have profound impact. Online advertising revenue, flexibility in providing online service and industry self-regulation could be impaired by the tougher privacy standard the FTC is on record supporting.
The FTC also steers dangerously close in the NPRM to eroding critical protections against intermediary liability provided in the Communications Decency Act (CDA). The agency seeks to hold online service providers responsible when they merely "enable" a child to make his or her personal information publicly available online—for example, on a social networking site or the child's personal website. In contrast, for 15 years, the CDA has protected online businesses from liability when they create a public platform for others—including children—to post their own content. The Internet has flourished under this protection, and proposed regulations that seek to require online actors to cull their users' content should be closely scrutinized, both in light of the CDA's legal requirements and its proven success as policy.